Request for Mozilla Position on an Emerging Web Specification Specification Title: Web Environment Integrity API Specification or proposal URL (if available): https://rupertbenwiser.github.io/Web-E...
Can someone explain to me the google API and DRM situation in stupid people terms? I’m stupidly tech illiterate but I know that this is a big deal and I would like to understand
Sure thing. With this current proposal, when you visit a website, the site asks your browser if you’re willing to display it as intended, basically with all and any adverts. If the answer is no, then you can’t see the content, if the answer is yes, then you’re likely using Chrome or a Chromium based browser and Google can guarantee more ad impressions, because they’re first and foremost an advert selling company.
I may not be 100% right, as I haven’t looked at it in detail, but I think it’s even a bit more than that. Since the way that’s proven is by the browser vendor signing the request (I assume with an HTTP header or something), you could also verify it’s from a specific vendor. So even if Mozilla says, yes, we’ll display your ads, a website could still lock down to Chrome. It would probably also significantly hamper new browsers, and browsers with a security/anti-ad focus, as they won’t be recognised by major websites that use the new protocol until they have market share, which they won’t get if they don’t have access to major websites.
A) Maybe not you, maybe not me or anyone else here, but 99.99% of the rest of the world? And when the rest leave, is Mozilla really going to be able to justify maintaining a browser for those that remain?
B) There might not be a website that would do it, but what about if practically all websites with any corporate backing did it?
This is the fundamental point that so many techies fail to get. Saying “I’ll be fine, I’ll do X” is irrelevant. If nobody’s doing what you want to do, then eventually you won’t be able to do it either.
Because it’s not just going to say yes. It’s going to say yes, and then present an unique key that browser made for themselves. Other browsers might be able to spoof the key, but the proposal might have cryptographically expensive to even try.
And that signature can’t be spoofed? Or the browser can’t be sandboxed and quarantined so it is made unaware of such software, and the software applied retroactively?
People will always find a workaround, look at rooting of phones for example. But they shouldn’t have to. I mean look at how banking apps refuse to work on rooted phones but work in a browser on your desktop without any issues. It will be the same with this. Your device is rooted, we can’t show you this webpage.
… yes, and I am obviously very against giving that same power to websites lol. An app is built from the ground up as a UX created by the company, and that is what you are signing up for when you use an app. A browser should be a contained way of rendering data from some webserver according to a user’s preferences. Google is apparently trying to “app-ify” web protocols in order to give themselves more power over a user’s experience to the detriment of the user.
True, but that’s within their own ecosystem. The internet is not owned by Google. But I guess a certain part of the majority wants it that way with how popular Chromium based browsers are.
How could it not be a browser check if the website relies on the browser to be a middle man? The WebDRM that was pushed by a terrorist organization W3C, currently requires per-browser licensing.
Per wikipedia:
EME has been highly controversial because it places a necessarily proprietary, closed decryption component which requires per-browser licensing fees into what might otherwise be an entirely open and free software ecosystem.
if they dont like your browser you cant view the site , ultimately its gonna be google who will be deciding what conditions your browser has to fulfill to be approved and the big one they wont say outright is adblockers , if you have an adblocker they will not allow you to veiw the site
I bet you heard about safetynet on android devices. It is a service that checks if you run a genuine licensed not-modified version of android. If not - app developer can just restrict you access to the app. It is mostly used by banking apps, but there’re many examples of not security critical apps utilize this.
Google wants to do the same but for browsers and websites. If you run firefox or modified chrome or use adblocks: youtube, twitter, etc. would be able to detect it and can restrict access to the website.
If you root your device correctly. Can’t expect most mobile users to do that. Can’t expect users with locked bootloaders to do that. Can’t even expect many power users to do that. A lot of very tech literate people I know that customise their computer OS heavily still don’t want to root their phone.
Can someone explain to me the google API and DRM situation in stupid people terms? I’m stupidly tech illiterate but I know that this is a big deal and I would like to understand
Sure thing. With this current proposal, when you visit a website, the site asks your browser if you’re willing to display it as intended, basically with all and any adverts. If the answer is no, then you can’t see the content, if the answer is yes, then you’re likely using Chrome or a Chromium based browser and Google can guarantee more ad impressions, because they’re first and foremost an advert selling company.
I may not be 100% right, as I haven’t looked at it in detail, but I think it’s even a bit more than that. Since the way that’s proven is by the browser vendor signing the request (I assume with an HTTP header or something), you could also verify it’s from a specific vendor. So even if Mozilla says, yes, we’ll display your ads, a website could still lock down to Chrome. It would probably also significantly hamper new browsers, and browsers with a security/anti-ad focus, as they won’t be recognised by major websites that use the new protocol until they have market share, which they won’t get if they don’t have access to major websites.
deleted by creator
A) Maybe not you, maybe not me or anyone else here, but 99.99% of the rest of the world? And when the rest leave, is Mozilla really going to be able to justify maintaining a browser for those that remain? B) There might not be a website that would do it, but what about if practically all websites with any corporate backing did it?
This is the fundamental point that so many techies fail to get. Saying “I’ll be fine, I’ll do X” is irrelevant. If nobody’s doing what you want to do, then eventually you won’t be able to do it either.
I mean, they already do that by filtering out user agents. But this is certainly a step beyond.
Which is why all browsers cross identify as other browsers. This would make it easier for sites to block and harder for browsers to work around.
Why can’t your browser lie and say “yes of course I’m displaying everything my fingers definitely aren’t crossed behind my back”?
Because it’s not just going to say yes. It’s going to say yes, and then present an unique key that browser made for themselves. Other browsers might be able to spoof the key, but the proposal might have cryptographically expensive to even try.
Thanks so much, I understand now. God, is that a shitty move for Google to pull
What about replying yes, then blocking ads?
Your device would return a signature to say that there’s no adblocking software on the device.
And that signature can’t be spoofed? Or the browser can’t be sandboxed and quarantined so it is made unaware of such software, and the software applied retroactively?
People will always find a workaround, look at rooting of phones for example. But they shouldn’t have to. I mean look at how banking apps refuse to work on rooted phones but work in a browser on your desktop without any issues. It will be the same with this. Your device is rooted, we can’t show you this webpage.
That’s not true - you can still use ad blockers etc as normal.
It’s also not a browser check, it’s a device check. It’s to check that the device can be trusted, like android itself hasn’t been tampered with.
It’s literallly impossible for there to be a valid reason for a website to be entitled to know that under any circumstances.
That’s equally stupid though… why shouldn’t I be able to tamper with my phone’s operating system? And how is it any of a website’s business if I do?
You can tamper all you want, but apps can already block access to devices that have been tampered with. This just gives that same power to websites.
… yes, and I am obviously very against giving that same power to websites lol. An app is built from the ground up as a UX created by the company, and that is what you are signing up for when you use an app. A browser should be a contained way of rendering data from some webserver according to a user’s preferences. Google is apparently trying to “app-ify” web protocols in order to give themselves more power over a user’s experience to the detriment of the user.
So people with custom roms or on various Linux distros would be fucked?
Well with custom roms they already are for many apps.
True, but that’s within their own ecosystem. The internet is not owned by Google. But I guess a certain part of the majority wants it that way with how popular Chromium based browsers are.
How could it not be a browser check if the website relies on the browser to be a middle man? The WebDRM that was pushed by a terrorist organization W3C, currently requires per-browser licensing.
Per wikipedia:
if they dont like your browser you cant view the site , ultimately its gonna be google who will be deciding what conditions your browser has to fulfill to be approved and the big one they wont say outright is adblockers , if you have an adblocker they will not allow you to veiw the site
I bet you heard about safetynet on android devices. It is a service that checks if you run a genuine licensed not-modified version of android. If not - app developer can just restrict you access to the app. It is mostly used by banking apps, but there’re many examples of not security critical apps utilize this.
Google wants to do the same but for browsers and websites. If you run firefox or modified chrome or use adblocks: youtube, twitter, etc. would be able to detect it and can restrict access to the website.
SafetyNet is fairly easy to defeat.
If you root your device correctly. Can’t expect most mobile users to do that. Can’t expect users with locked bootloaders to do that. Can’t even expect many power users to do that. A lot of very tech literate people I know that customise their computer OS heavily still don’t want to root their phone.
Only because nobody is actually enforcing key-backed attestation.